TLS handshake fails with Alert (Level: Fatal, Description: Unknown CA):

It seems I cannot post a full explanation of context, so here is the short version. I'll add detail after.

Devices in field all suddenly unable to connect to GCP host.

Problem simplified to https_client sample with url changed to run.app and certificate changed to WR2.

Modem trace shows handshake terminating with TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Given that I can connect with the same certificate and cipher using curl, is this a bug? How should I proceed?

  • Here is the curl line:

    curl -v --tlsv1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 --cacert wr2.pem --request POST --data 'test' https://run.app/

    The certificate is here (It seems I cannot attach it):

    https://i.pki.goog/wr2.pem

  • Hi,
    I downloaded wr2.pem from here:

    https://pki.goog/repository/
    Did a quickfix to avoid changing main.c:

    diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt
    index 2a937786ed..975b511569 100644
    --- a/samples/net/https_client/CMakeLists.txt
    +++ b/samples/net/https_client/CMakeLists.txt
    @@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs)
     zephyr_include_directories(${gen_dir})
     generate_inc_file_for_target(
         app
    -    cert/DigiCertGlobalG2.pem
    +    cert/wr2.pem
         ${gen_dir}/DigiCertGlobalG2.pem.inc
         )
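    Review bot: the output name in the `generate_inc_file_for_target` call is still `${gen_dir}/DigiCertGlobalG2.pem.inc` while the input on the `+` line is now `cert/wr2.pem`; that is what keeps `main.c` untouched, as the text says, but the generated include no longer describes its content, so anyone reading the sample later will assume the DigiCert root is being provisioned. Renaming the output to `wr2.pem.inc` and updating the include in `main.c`, or at minimum leaving a comment next to `cert/wr2.pem`, would avoid that. Note also that this hunk provisions only the WR2 intermediate; as Q3 below points out, a self-signed root would have to be provisioned as well.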

    and set CONFIG_HTTPS_HOSTNAME="run.app" 

    Here's the output:

    *** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
    HTTPS client sample started
    Bringing network interface up
    [00:00:00.536,163] <inf> nrf_modem_lib_trace: Trace thread ready
    [00:00:00.543,640] <inf> nrf_modem_lib_trace: Trace level override: 2
    Provisioning certificate
    Certificate match
    Connecting to the network
    +CEREG: 2,"8169","014ACE00",7
    +CSCON: 1
    +CSCON: 0
    +CSCON: 1
    +CGEV: ME PDN ACT 0
    %MDMEV: SEARCH STATUS 2
    +CEREG: 1,"8169","014ACE00",7,,,"00001010","11000001"
    Network connectivity established and IP address assigned
    Looking up run.app
    +CGEV: IPV6 0
    Resolved 216.239.32.53 (AF_INET)
    Connecting to run.app:443
    Sent 57 bytes
    Received 207 bytes
    
    >        HTTP/1.1 404 Not Found
    
    Finished, closing socket.
    +CGEV: ME PDN DEACT 0
    +CEREG: 0
    +CGEV: ME DETACH
    +CSCON: 0
    Network connectivity lost
    Disconnected from the network

    And pcapng: 341496_.pcapng
    Q1: What mfw are you using?

    Q2: Have you checked that the wr2.pem is updated on your end?

    Your comment indicates that you use the latest.

    Q3: Could you add a top-level root CA to another tag in addition? wr2 is an intermediate cert.
    Kind regards,

    Håkon
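As an added example for Q3 above (not code from the thread, from Nordic or from Zephyr): a small Python check that reports whether each certificate in a PEM bundle is a self-signed root or an intermediate, by comparing the DER-encoded issuer and subject names. `make_fake_pem` is a constructed helper that builds unsigned dummy certificates so the check can be exercised offline; point `classify_bundle` at the real wr2.pem to confirm what is actually being provisioned.

```python
import base64
import re


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER Name encodings of issuer and subject from a certificate."""
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        p = end
    for _ in range(2):                     # serialNumber, signature AlgorithmIdentifier
        _, _, p = _tlv(der, p)
    _, _, end = _tlv(der, p)               # issuer Name
    issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)                 # validity
    _, _, end = _tlv(der, p)               # subject Name
    return issuer, der[p:end]


def classify_bundle(pem_text):
    """Label each PEM certificate 'root' (issuer == subject) or 'intermediate'."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    labels = []
    for b64 in re.findall(pat, pem_text, re.S):
        issuer, subject = issuer_and_subject(base64.b64decode("".join(b64.split())))
        labels.append("root" if issuer == subject else "intermediate")
    return labels


# Constructed test material: a minimal DER encoder producing unsigned dummy
# certificates with chosen subject/issuer CNs (no real key, dummy signature).
def _der(tag, payload):
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):  # Name ::= SEQUENCE OF SET OF { id-at-commonName, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def make_fake_pem(subject_cn, issuer_cn):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"350101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
```

The name comparison identifies self-signed certificates only; it does not validate the signature or that the intermediate actually chains to the root, which the TLS stack still has to do.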
